Newsletters: Newsbites

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Hackers continued adding billions to the cost of doing business online in the first half of 2004, despite security executives' efforts to prevent malicious attacks. This paper identifies the most common methods of attacks and outlines a guideline for developing secure web applications.

https://www.watchfire.com/securearea/sans.aspx
************************************************************************
Highlighted Training Program of the Week
SANS FIRE 2005, in Atlanta in June, is SANS' first training program co-sponsored with the Internet Storm Center. Attend any of thirteen immersion tracks and also learn about the Internet's early warning system and how it can tell you which of your employer's computers may have been compromised. Wonderful teachers give you material you can put to work immediately upon returning to the office and present the most current tools and techniques.
Details at http://www.sans.org/sansfire2005

US Legislators Take Aim at Data Brokers (16/15 March 2005)

In the wake of the data thefts from ChoicePoint and LexisNexis, US legislators say they are considering placing new, stringent restrictions on data brokers, companies that collect and sell personal information like Social Security numbers. At a House Commerce, Trade and Consumer Protection Subcommittee hearing, ChoicePoint and LexisNexis executives said they had "scaled back the sale of sensitive personal information." Some legislators said companies should not be allowed to sell people's Social Security numbers without permission. At a Senate Banking Committee hearing, ChoicePoint VP Don McGuffey said there had been other security breaches in the past that his company had not made public. Representative Edward Markey (D-Mass.) has already introduced the Information Privacy and Security Act, which asks the Federal Trade Commission to create data protection rules for data brokers.
-http://www.computerworld.com/printthis/2005/0,4814,100405,00.html
-http://www.usatoday.com/tech/2005-03-15-social-security-id-theft_x.htm
-http://www.wired.com/news/print/0,1294,66912,00.html
[Editor's Note (Schultz): A bill of this nature was inevitable because the problem of stolen personal and financial information is getting out of control. I predict that passing legislation that restricts gathering and storing personal and financial information or increases punishments for those who steal this type of information will be a long and arduous road, however. Count on lobbyists for companies that make their living off of gathering, processing and selling this kind of information doing everything they can to stifle legislation of this nature.
(Pescatore): The rest of the world calls this "opt in" - if you want to sell my information, you have to get my permission first. The US needs to move to this model. Add in a uniform breach disclosure law and you have two sensible ways to drive the market to higher levels of security while minimizing the inevitable unintended consequences of legislation trying to address technology. ]

Legislators in more than 20 states have already proposed bills aimed at dealing with data theft like that recently experienced by ChoicePoint and LexisNexis. Hastily proposed measures run the risk of being overly broad or narrow, or vaguely worded, impeding effective interpretation.
-http://news.com.com/2102-7348_3-5611746.html?tag=st.util.print
[Editor's Note (Schultz): Legislation within states may provide critical impetus for getting some kind of federal legislation that requires better protection of personal and financial information or puts more restrictions on gathering this kind of information passed. ]

Major banks in New Zealand are blocking access to online banking for customers whose computers are infected with Marketscore, a particular spyware program. The banks are concerned that Marketscore interferes with secure Internet sessions because the spyware disguises itself as part of a secure session. Marketscore offers free software on its website, but when the software is downloaded, the tracking software is downloaded as well. Marketscore sells the information it collects to advertisers. The company's privacy statement says the software is used to monitor Internet behavior, including secure session activity.
-http://www.smh.com.au/news/Breaking/Spyware-forces-halt-to-NZ-online-banking/2005/03/14/1110649090758.html
[Editor's Note (Pescatore): This is an increasingly common practice for early adopters in the consumer-facing online commerce field. If your customer is not on a safe platform from which to log in, warn them and don't let them connect. Much more effective for both parties than dealing with all the consequences of compromised accounts. ]
************************** Sponsored Link *******************************
Takes you outside the SANS site
(1) Learn why "Enterprise Network Security Doesn't End with Inline-IPS." Download whitepaper at http://www.sans.org/info.php?id=737
*************************************************************************

David Jeansonne has been sentenced to six months in prison and ordered to pay US$27,100 in restitution to Microsoft for his role in distributing a Trojan horse program to unwitting WebTV subscribers. The program made their computers dial 911, resulting in a number of unnecessary emergency services responses. Jeansonne had pleaded guilty in February to causing a threat to public safety and causing damage to computers; he will also serve six months of home detention as part of a two-year supervised release portion of his sentence.
-http://www.cio-today.com/wrldwd/story.xhtml?story_title=Man-Sentenced-in-----Computer-Virus-Case&story_id=31359&category=wrldwd
[Editor's Note (Tan): This form of denial of service attack could have a big impact if it happened during an emergency period. The threat should not be overlooked, especially because VoIP is becoming pervasive. ]

Former IT Manager Gets 5 Months in Prison for Breaking Into Company's System (16 March 2005)

HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY

IRS Employees Vulnerable to Social Engineering (16 March 2005)

Treasury Department inspectors posing as information technology help desk employees addressing a network problem were able to convince 35 of 100 IRS employees to reveal their network logon names and change their passwords to one suggested by the callers. The results show a significant improvement from a similar test conducted in 2001, when 71 of 100 IRS employees changed their passwords.
-http://www.securityfocus.com/printable/news/10708
[Editor's Note (Pescatore): Any day of any week you can publish a study that says "Company/Agency X Employees Vulnerable to Social Engineering." Caveperson Og fell for the old Pleistocene Shiny Rock swap scam and today people are still falling for the Nigerian Banking scam. People will be people and security controls need to assume that and make it harder for them to hurt themselves. ]

US federal agencies will face additional requirements when they are graded on next year's security report card. The Federal Information Security Management Act of 2002 requires that agencies categorize their applications and systems according to the impact a major security breach would have on their ability to operate. In addition, agencies will be required to comply with minimum security control standards for federal systems by December 2006; the standards are described in National Institute of Standards and Technology Special Publication 800-53.
-http://www.fcw.com/article88317-03-16-05-Web

As part of Microsoft's Security Update Validation Program, government agencies will receive notice about Microsoft patches a month before they are released to the public. The patches will be released to the Air Force, where they will be tested; the Department of Homeland Security will inform agencies of the vulnerabilities and will distribute tested patches after they have been released to the public. Certain business customers are also eligible for the closed beta early access program.
-http://www.informationweek.com/story/showArticle.jhtml?articleID=159401297

The National Institute of Standards and Technology (NIST) has posted for public comment a new draft of NIST Special Publication 800-38B, Recommendation for Block Cipher Modes of Operation: the CMAC Mode for Authentication. This draft document specifies the CMAC algorithm, a cipher-based algorithm for a message authentication code (MAC). Like any MAC algorithm, CMAC is designed to provide assurance of the authenticity of data, and hence its integrity, among parties that share the secret key. CMAC is a variant of CBC-MAC that remains secure for messages of varying length, and it is built on an approved block cipher such as the AES algorithm or TDEA (Triple DES).

NIST will accept public comments on the draft until April 25, 2005; comments may be sent by email to EncryptionModes@nist.gov. A link to a PDF file of the draft is available at
-http://csrc.nist.gov/publications/drafts.html
Information about NIST's overall effort to update and develop block cipher modes of operation is available at
-http://nist.gov/modes
===end===
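As an added illustration of the algorithm the draft specifies (this is not code from NIST or from the draft itself), the following Go program implements CMAC over AES-128 using Go's standard-library crypto/aes, and its main() prints tags for the published AES-CMAC test vectors from RFC 4493, which use the same AES-128 key as the SP 800-38B examples. The function names AESCMAC, VerifyAESCMAC and deriveSubkeys are this example's own, not names from the specification.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

const blockSize = aes.BlockSize // 16 bytes; the reduction constant Rb for a 128-bit block is 0x87

// shiftLeftOne shifts a big-endian byte string left by one bit, dropping the
// bit that falls off the top. The caller folds Rb back in when that bit was set.
func shiftLeftOne(in []byte) []byte {
	out := make([]byte, len(in))
	var carry byte
	for i := len(in) - 1; i >= 0; i-- {
		out[i] = in[i]<<1 | carry
		carry = in[i] >> 7
	}
	return out
}

// deriveSubkeys follows the subkey generation step of SP 800-38B:
// L = CIPH_K(0^128); K1 and K2 are successive doublings of L in GF(2^128),
// reduced with Rb = 0x87 whenever the dropped high bit was 1.
func deriveSubkeys(block cipher.Block) (k1, k2 []byte) {
	l := make([]byte, blockSize)
	block.Encrypt(l, l)
	k1 = shiftLeftOne(l)
	if l[0]&0x80 != 0 {
		k1[blockSize-1] ^= 0x87
	}
	k2 = shiftLeftOne(k1)
	if k1[0]&0x80 != 0 {
		k2[blockSize-1] ^= 0x87
	}
	return k1, k2
}

func xorInto(dst, src []byte) {
	for i := range dst {
		dst[i] ^= src[i]
	}
}

// AESCMAC returns the full 128-bit CMAC tag of msg under key.
// A complete final block is masked with K1; an empty or partial final block is
// padded with a 1 bit and zeros and masked with K2. Binding the tag to whether
// padding was applied is what stops the length-extension forgeries that plain
// CBC-MAC allows on variable-length messages.
func AESCMAC(key, msg []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	k1, k2 := deriveSubkeys(block)

	n := (len(msg) + blockSize - 1) / blockSize // blocks after padding
	last := make([]byte, blockSize)
	if n > 0 && len(msg)%blockSize == 0 {
		copy(last, msg[(n-1)*blockSize:])
		xorInto(last, k1)
	} else {
		if n == 0 {
			n = 1 // the empty message becomes one padded block
		}
		rem := msg[(n-1)*blockSize:]
		copy(last, rem)
		last[len(rem)] = 0x80 // 10...0 padding
		xorInto(last, k2)
	}

	x := make([]byte, blockSize) // CBC chaining value, starts at 0^128
	for i := 0; i < n-1; i++ {
		xorInto(x, msg[i*blockSize:(i+1)*blockSize])
		block.Encrypt(x, x)
	}
	xorInto(x, last)
	block.Encrypt(x, x)
	return x, nil
}

// VerifyAESCMAC recomputes the tag and compares it in constant time, so a
// forger cannot learn correct tag bytes one at a time from response timing.
func VerifyAESCMAC(key, msg, tag []byte) bool {
	want, err := AESCMAC(key, msg)
	if err != nil {
		return false
	}
	return subtle.ConstantTimeCompare(want, tag) == 1
}

func main() {
	// RFC 4493 test vectors: same key and plaintext as the SP 800-38B AES-128 examples.
	key, _ := hex.DecodeString("2b7e151628aed2a6abf7158809cf4f3c")
	msg, _ := hex.DecodeString("6bc1bee22e409f96e93d7e117393172a" +
		"ae2d8a571e03ac9c9eb76fac45af8e51" + "30c81c46a35ce411")
	for _, m := range [][]byte{nil, msg[:16], msg} {
		tag, _ := AESCMAC(key, m)
		fmt.Printf("len=%2d tag=%s\n", len(m), hex.EncodeToString(tag))
	}
}
```

The subkey step is the part worth reading closely: K1 and K2 are derived from the key alone, so they cost one extra block encryption per key rather than per message, and masking the final block with one or the other is what makes CMAC safe where CBC-MAC is not. When a protocol truncates the tag, the draft takes the leading bits of the final block; keep the truncated tag long enough that guessing it is not cheaper than attacking the cipher, and always compare tags in constant time as VerifyAESCMAC does.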

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription (and for free posters) or to update a current subscription, visit http://portal.sans.org